What is MFA?
MFA, short for Multi Factor Authentication, is a challenge/response form of authentication that relies on at least 2 factors to decide you are the owner of the identity you are claiming. We are all familiar with single factor authentication, the traditional username and password combination. MFA relies on a combination of one or more of the following: something you know such as a password, something you have such as a device, or something you are such as a fingerprint. More information can be found at: https://www.csustan.edu/oit/about-oit/information-security-policies-and-standards/multi-factor-authentication
What is Duo?
Duo is the third party service that specializes in providing a second factor service(something you have) to greatly enhance the security of our Warrior accounts. It steps into the existing username/password workflows of many different external systems to prevent many common username/password-only attacks seen throughout the world that usually result in the loss of sensitive information. Our campus uses the Duo service on our Single Sign On system and for our Office 365 environment.
Why do I need to use Duo/MFA at all?
MFA protects not only the account of the person who uses MFA, but also the data they have access to. So whether you only have access to your own data, or the data of others, adding MFA is one of the greatest security measures that can be taken to protect your account and the data you access. Many security breaches and incidents occur around the world each day because of compromised usernames and passwords. One of the questions that is becoming more and more common after these incidents happening around the world is: Do you require MFA to protect the accounts and the data those accounts can access? Many institutions such as banks and healthcare providers have started rolling out MFA requirements for their customers to help protect their data. One of the other benefits to you being enrolled in Duo MFA at Stan State is that the security of your account increases so significantly that you do not have to change your password again for 10 years.
Why do I need to use Duo so often?
Duo is part of the login workflow of both our SSO system and for our Office 365 environment, so it triggers each time. However, there is a feature of Duo that keeps you from having to Duo every time. Watch out for the “Remember me for 1 day” checkbox when you’re using Duo to help with the number of times you have to use Duo. This is a full 24 hour timer, so depending on the timing, it is possible to only see Duo within the same browser once every one to two days.
Why do I still seem to have to use Duo so often even if I use the “Remember me for 1 day” checkbox?
This could be caused by a number of things. This setting is only kept within one browser when it’s used. So if you use multiple browsers, you’ll likely see Duo at least twice during the session that you’re using more than one browser. Another reason for this is that many desktop applications that utilize a web based form of authentication, such as our Single Sign On system or a sign on to Office365, commonly use a simple, built-in web browser to complete that web based authentication. This counts as a separate browser, which wouldn’t know that you may have used Duo in another browser, so you’re asked to respond to Duo again.
I enrolled in Duo to use a particular service that required it, but now all the other services I use are requiring Duo. Why is this?
Once you are enrolled in Duo, your account is protected by Duo for all services that support it.
I have Duo now, but I don’t want it. Can I remove it from my account?
With the CSU's continued focus on securing Level 1 data and ensuring the security of business transactions, MFA is becoming a directive and requirement across the CSU system at every CSU campus. Much like the time that passwords were introduced as a required method to secure access to systems, MFA is becoming a new global requirement across various industries.
Why do I need to use my own smartphone or tablet for Duo?
This is primarily for convenience. It’s “something you have” that is usually nearby most of the time. MFA has historically only been available with specific vendor equipment that is often cumbersome to use and not something that’s kept readily available. With such a high percentage of people with mobile phones over the last several years, this has helped modernize and ease the MFA experience. Using the Duo Mobile app’s Push feature, is by far the easiest way to use Duo for MFA. As a secondary result, it decreases costs to our campus since it replaces the need to purchase specific vendor equipment.
What’s the difference between SMS(text messages), phone calls, and Duo Push via the mobile app?
All of these methods perform the same basic function: to provide a second step verification of the first step provided(username and password) to ensure that the person entering the username and password is really who they say they are. The differences are more about experience. With SMS(text messaging), entering a code is required, which could be mistyped and takes a bit more time. Phone calls are slightly better in that you’re responding with a key press during a phone call, but still takes a bit of time to answer the call. Duo Push through the mobile app is the simplest method as it reduces the MFA check to one approval within the app, often with just one button press/tap. Another reason that Duo Push is ideal is because both SMS and phone calls still rely on telephone companies that charge per call/text message, so Duo passes on that cost to our campus to use those features. Duo Push relies on just simple, secure messages across the Internet that aren’t charged per use, so Duo does not charge for using the Duo Push feature.
Is Duo Push secure?
Yes. Even more secure than SMS(text messaging) and phone calls. All connections are encrypted and use secure connections. More information can be found at: https://duo.com/assets/pdf/Promoting_Push_Guide.pdf
Does installing the Duo Mobile app compromise my device in any way?
No. Your device is still entirely yours, as it should be. The function of the Duo Mobile app is to provide a response to an MFA prompt and nothing more. The Duo Mobile app cannot access any of the other apps on your device, it cannot access any personal information, and it cannot change any settings on your device. More information can be found at: https://duo.com/assets/pdf/Promoting_Push_Guide.pdf
I don’t get notifications on the Duo Mobile app. I have to open the app on my device each time. How do I fix this?
This is dependent on what device you’re using, but the Duo Mobile app needs your permission to send you notifications. These notification settings are specific to each device. Try these steps for Apple iOS, Android, and other devices.
I’m already enrolled in Duo, but I want to add other devices. How can I do this?
It is highly recommended to enroll more than one device in Duo if possible. This ensures that there’s always “something you have” available to complete the Duo prompt, or to add even more devices via self-service. To do this, look for the “Add a new device” and “My Settings & Devices” links the next time you’re logging in and being prompted for Duo, before responding to the Duo prompt within your web browser.